The FTC Enforces Against Inadequate Vetting of Third-party Vendors
28 December 2020
Technology & eCommerce Regulation in the Spotlight
The Federal Trade Commission (“FTC”) has recently announced a proposed settlement with Ascension Data & Analytics, LLC (“Ascension”), over the allegation that Ascension failed to ensure one of its vendors was adequately securing consumers’ data.
According to the FTC, one of Ascension’s service providers stored documents containing sensitive information about Ascension’s consumers (such as social security numbers) on a cloud-based server in plain text, without any protection against unauthorized access. The FTC further alleged that, because of these inadequate protections, the data was repeatedly subject to unauthorized access.
In its complaint, which is based on the Gramm-Leach-Bliley Act (“GLBA”), the FTC alleged that Ascension, a mortgage industry data analytics company, failed to adequately vet its vendors and that its contracts with vendors did not require them to safeguard the information.
The FTC alleged that although Ascension had an internal “Third-party Vendor Risk Management” policy, it did not comply with it and failed to conduct risk assessments of all of its third-party vendors. The GLBA requires covered entities to maintain comprehensive information security programs. These programs must include oversight of the entities’ third-party vendors, by ensuring they are capable of implementing and maintaining appropriate safeguards and by requiring them to do so by contract.
As part of the settlement, Ascension is prohibited from collecting, processing or transferring any sensitive information prior to the implementation of a comprehensive data security program. This program has to impose at least the same security requirements on the company’s vendors. Ascension must also undergo biennial assessments of the program’s effectiveness by an independent assessor approved by the FTC. Ascension is also required to have a senior company executive certify annually that it is complying with the order, and to report any future data breaches to the FTC within 10 days of notifying other federal or state government agencies.
This enforcement action by the FTC joins its recent settlement with Zoom over its information security practices, which we previously reported on. The importance of adequate vetting procedures was also emphasized by EU regulators in a number of regulatory developments concerning international transfers of personal data. For example, as we recently reported, vetting procedures are part of the European Data Protection Board’s recommendations on the measures that supplement data transfer tools.
These recent enforcement and regulatory actions highlight the increased scrutiny over adequate vetting of the service providers to whom data is transferred. Feel free to contact us if you have any questions regarding your company’s procedures and the influence of these recent developments on them.
****************************************
Feel free to contact us with any further questions or comments regarding the update and subjects detailed above.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman